Archive for the ‘Uncategorized’ Category

FPGA security challenge: files released

Download here the files for the challenge:

and see the description of the levels below! Do not miss the presentation at 14:00…

LEVEL 0
When the bitstream is loaded, the FPGA expects a 16-bit password which is shifted in bit by bit over two pins. If the password is correct, you are rewarded with an Arduino-style LED show. The participants will have to discover this password. This level is solvable using common techniques and is intended to give a rough overview of how FPGAs work in practice and what hardware security is about. Participants who think it’s trivial are encouraged to skip it and proceed directly to level 1.
Participants are given the bitstream, the NeoCAD Circuit Description (NCD) that they can examine with FPGA Editor, and the Verilog source code (of course, with a different password).

LEVEL 1
Same as Level 0, but this time, the password is 64-bit. Participants are given the same files.
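To make the two-pin interface of levels 0 and 1 concrete, here is a behavioural model of the security device and of the host that feeds it. This is an added Python illustration, not the challenge’s own Verilog: the pin semantics (data sampled on the rising edge of the clock pin, most significant bit first), the register width parameter and the password values used in the comments are assumptions.

```python
"""Behavioural model of a serial-password security device.

Added illustration, not the challenge's Verilog.  Assumptions: one data pin,
one clock pin, the data bit is latched on the rising edge of the clock, bits
arrive most significant bit first, and the comparison happens only once a full
register's worth of bits has been clocked in.
"""


class SerialPasswordDevice:
    """Shift register fed by a data pin and a clock pin.

    `unlocked` becomes True once `width` bits have been shifted in and the
    register equals the stored secret (this is what would drive the LED show).
    """

    def __init__(self, width: int, password: int) -> None:
        if not 0 <= password < (1 << width):
            raise ValueError("password does not fit in the register width")
        self.width = width
        self._password = password
        self._mask = (1 << width) - 1
        self._shift = 0        # contents of the shift register
        self._count = 0        # bits clocked in since the last reset
        self._clk = 0          # last level seen on the clock pin
        self.unlocked = False

    def reset(self) -> None:
        """Clear the register and the bit counter (new attempt)."""
        self._shift = 0
        self._count = 0
        self.unlocked = False

    def set_pins(self, data: int, clk: int) -> None:
        """Apply new pin levels; the data bit is sampled on a 0 -> 1 clock edge."""
        if self._clk == 0 and clk == 1:
            self._shift = ((self._shift << 1) | (data & 1)) & self._mask
            self._count += 1
            # Compare only when the register is full, so partial prefixes
            # never change the observable output.
            if self._count == self.width:
                self.unlocked = self._shift == self._password
        self._clk = clk


def send_word(device: SerialPasswordDevice, value: int) -> bool:
    """Host side: bit-bang `value` into the device, MSB first, and report
    whether the device unlocked.  Models what the board does at power-up."""
    device.reset()
    for i in reversed(range(device.width)):
        bit = (value >> i) & 1
        device.set_pins(bit, 0)   # set data while the clock is low
        device.set_pins(bit, 1)   # rising edge latches the bit
    device.set_pins(0, 0)         # return the clock to idle
    return device.unlocked


if __name__ == "__main__":
    # Constructed passwords: 16-bit for level 0, 64-bit for level 1.
    level0 = SerialPasswordDevice(16, 0xBEEF)
    level1 = SerialPasswordDevice(64, 0x0123456789ABCDEF)
    print("level 0 correct:", send_word(level0, 0xBEEF))
    print("level 0 wrong:  ", send_word(level0, 0xBEEE))
    print("level 1 correct:", send_word(level1, 0x0123456789ABCDEF))
```

The same class serves level 1 by passing `width=64`; the only state that grows is the register. Note that the model compares only once the counter reaches the full width, so the LED output reveals nothing about partial prefixes, which is the property the later, NCD-less levels force you to attack from the bitstream rather than from the pins.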

LEVEL 2
This time, the security device is embedded into a complex system-on-chip (based on Milkymist [6]) made up of a microprocessor, memories and a serial port – all implemented on the same FPGA. A software program run on the FPGA softcore processor will talk to the security device and send it a password to make it reveal built-in secret information. Participants will have to find out that secret. This level is harder than the previous one because the security device will be buried among the thousands of FPGA logic cells comprising the system-on-chip and connected to it through an on-chip bus.
Participants are still given the NCD file and the source code, making the task significantly easier.

LEVELS 3-5
They are the same as levels 0-2, but without the NCD! (and different passwords of course).
Those are obviously the most interesting levels, as when you are working with a real security system, they will never give you the NCD. Reverse engineering bitstreams involves good knowledge of the FPGA’s internal structure (the previous levels should have given you some of this), mastery of Boolean algebra and logic-function manipulation, and expertise with file format reverse engineering. There is an existing effort [8].

REFERENCES
[1] http://www.cl.cam.ac.uk/~sd410/papers/fpga_security.pdf
[2] http://spectrum.ieee.org/semiconductors/design/the-hunt-for-the-kill-switch
[3] http://www.xilinx.com/products/devkits/aes_sp3a_eval400_avnet.htm
[4] http://lekernel.net/blog/?p=668
[5] http://lekernel.net/blog/?p=429
[6] http://www.milkymist.org
[7] http://www.milkymist.org/wiki/index.php?title=Installing_the_Spartan_3A_evaluation_kit_mini-port
[8] http://www.ulogic.org
[9] http://lekernel.net/blog
[10] http://lekernel.net/blog/?p=975

Replacement Talk: Peeking into Pandora’s Bochs

There is a change in the program: a new talk, “Peeking into Pandora’s Bochs: instrumenting a full system emulator to analyse malicious software” by Lutz Böhne (RedTeam Pentesting GmbH), will replace BSDaemon’s talk (we’re really sorry he cannot attend the conference; it would have been great to see Rodrigo here. Next time!).

Abstract:
Today, malicious software (malware) poses a major threat to computer systems. Oftentimes, malware is runtime-packed (or -encrypted) to evade signature-based malware detectors and to make the actual malicious code inaccessible to static analysis methods. It is also common for the runtime unpacking (or decryptor) stubs to employ anti-debugging techniques to prevent dynamic analysis and manual unpacking by human analysts. Pandora’s Bochs was originally developed as a tool to unpack runtime-packed binaries. The open source PC emulator Bochs’s instrumentation facilities were extended with a Python interface and a set of Python routines was created to monitor an unmodified Windows XP guest system. It can identify and instrument individual processes, trace memory writes and branches, and dump process memory when a modified memory region is executed. This method works well against common runtime-packers. As Pandora’s Bochs does not rely on debugging facilities provided by the guest system, it is largely unaffected by common anti-debugging techniques. Since its inception as an automated unpacker, Pandora’s Bochs was extended to also monitor calls to the Windows API and their arguments. The presentation will focus on the technical aspects of Pandora’s Bochs. It will give a brief overview of typical runtime packer or executable protector behaviour, about Bochs’s instrumentation facilities and the Python interface that was created. It will detail the techniques used to obtain information about guest operating system and process states, how processes are monitored and unpacked, and how API call tracing is implemented. Like Bochs, Pandora’s Bochs is open source software.
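The core heuristic the abstract describes (trace memory writes, then dump process memory when a modified region is executed) can be modelled without an emulator. The following is an added Python example, not Pandora’s Bochs code: it runs the write-then-execute check over a constructed instruction trace with hypothetical addresses and reports where an unpacker would dump.

```python
"""Write-then-execute detection over a constructed guest trace.

Added example, not code from Pandora's Bochs.  Each trace entry is
(event, address, length): "write" is a guest memory write recorded by the
emulator's instrumentation, "exec" is an instruction fetch.  All addresses
are hypothetical.
"""

# Constructed trace: a packer stub at 0x401000 decrypts 32 bytes of the
# original program into 0x402000 and then jumps there.
SAMPLE_TRACE = [
    ("exec", 0x00401000, 5),    # stub entry point
    ("write", 0x00402000, 16),  # stub writes decrypted code
    ("write", 0x00402010, 16),
    ("exec", 0x00401005, 2),    # still executing the stub (never written)
    ("exec", 0x00402000, 6),    # first fetch from written memory -> dump point
    ("exec", 0x00402006, 3),    # same unpacked layer, already reported
]


def find_unpack_points(trace, page_size=0x1000):
    """Return [(trace_index, address), ...] for every instruction fetch that
    hits memory written earlier in the trace.

    The first such fetch is where an automated unpacker snapshots the
    process: the bytes being executed were produced at runtime, so they are
    exactly what static analysis could not see in the packed file.
    """
    written = set()   # byte addresses modified since the process started
    points = []
    for index, (event, addr, length) in enumerate(trace):
        if event == "write":
            written.update(range(addr, addr + length))
        elif event == "exec":
            if any(a in written for a in range(addr, addr + length)):
                points.append((index, addr))
                # After dumping, treat the whole page as known code so that
                # one unpacking layer is reported once.  A later write to the
                # same page (a second layer) re-arms the check.
                page = addr & ~(page_size - 1)
                written.difference_update(range(page, page + page_size))
        else:
            raise ValueError("unknown trace event %r" % (event,))
    return points


if __name__ == "__main__":
    for index, addr in find_unpack_points(SAMPLE_TRACE):
        print("dump process memory at trace entry %d, EIP=0x%08x" % (index, addr))
```

Because the check looks only at memory writes and instruction fetches observed from outside the guest, it does not depend on any debugging facility inside Windows, which is why the approach is unaffected by the usual anti-debugging tricks; a real implementation additionally keys the written set by process so that writes from one process do not trigger dumps in another.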


Hackito Ergo Sum 2010 FPGA Reverse-engineering Challenge

SRAM-based FPGAs are often touted as being “secure”, in the sense that a design for which only the programming file (“bitstream”) is available cannot be analyzed [1]. Many security features are built on this assumption: anti-cloning protections for hardware, evaluation versions of FPGA designs (IP cores) that stop working after a few hours, …

This security relies on the fact that the bitstream format, despite being unencrypted, is largely undocumented and proprietary, and that, even assuming perfect understanding of the format, recovering a design’s netlist solely from the information contained in the bitstream is a daunting task.

Many security researchers believe that security through obscurity does not work. Could FPGAs prove them wrong? Could obscurity be, for once, an effective means to achieve security? In this case, what would prevent an attacker with knowledge gained from the FPGA manufacturer from injecting malicious code into your sensitive bitstreams without fear of being discovered?

In a world where concerns about hardware security are growing (two years ago, DARPA launched a challenge in which participants had to discover malicious insertions made into chips [2]), we will put these questions to the test at Hackito Ergo Sum.

You are given bitstreams implementing security features, and your role is to break them. Even though they are significantly simpler than the security systems commonly found in the industry, the basic technique should be essentially the same, especially for the last levels of difficulty. The very last one is close to what a real system would look like!

In the first levels, you have more information than the bitstream only, in order to ease your job and give you an insight about what needs to be done in the next levels. Furthermore, there will be a workshop at the beginning of the conference to get you acquainted with some FPGA tools.

THE WORKSHOP
A hands-on workshop will be given at the beginning of HES and shortly after the challenge begins. It will revolve around three subjects:
1/ logic design crash course.
2/ how an FPGA works internally.
3/ how to build an FPGA system-on-chip and how to connect a new peripheral (such as the security device) to an on-chip bus.
This workshop is merely a digest of the previous workshops at /tmp/lab [4] [5].

LEVELS
There are 6 levels of increasing difficulty. They will be announced at the same time as the files for the challenge are posted.

RULES
* Complete files for the challenge will be posted to my blog [9] on April 8th, 10:00 local time.
* Mail the answer(s) to the level(s) you have solved to seb AT tmplab DOT org before April 10th, 18:00 local time.
* You can work alone or in teams.
* You have to explain how you found the answer(s).
* Breaking into my computer is cheating and gets you disqualified. Don’t do it.
* If you do not want to waste time fixing libraries, installing virtual machines, downloading multi-GB files, etc., install Xilinx ISE Webpack before coming and make sure that it works (it rarely does the first time), including the fpga_editor command.
* All bitstreams can be tested on the cheap Avnet Spartan 3A Evaluation Kit [3], making the challenge accessible to everybody. A comprehensive list of commands to perform various operations on this kit is given in [7].
* Some kits are available for lending during the conference, in exchange for a deposit of 70 euros which will be given back to you when you return the kit in good working condition.

REFERENCES
[1] http://www.cl.cam.ac.uk/~sd410/papers/fpga_security.pdf
[2] http://spectrum.ieee.org/semiconductors/design/the-hunt-for-the-kill-switch
[3] http://www.xilinx.com/products/devkits/aes_sp3a_eval400_avnet.htm
[4] http://lekernel.net/blog/?p=668
[5] http://lekernel.net/blog/?p=429
[6] http://www.milkymist.org
[7] http://www.milkymist.org/wiki/index.php?title=Installing_the_Spartan_3A_evaluation_kit_mini-port
[8] http://www.ulogic.org
[9] http://lekernel.net/blog

Hackito Ergo Sum 2010 Wargame

                -------------------------------------
                --[ Hackito Ergo Sum 2010 Wargame ]--
                -------------------------------------

 We are very pleased to invite you to our custom Hackito Ergo Sum wargame !

--[ Synopsis:
  Steven and our friends from overthewire.org cooked us up some brain
  challenge candies specially for HES : thank you very much guys   :)  

--[ Goal:
  The goal of the wargame is simple: you have to get a shell (as far as we
  know this is still very legal in France as of April 2010 - because we
  grant you the permission to do so) on a computer, and then escalate
  privileges until you get root on a computer dedicated for this purpose
  on our lan. It has been set up especially for this purpose by one of
  the coolest wargame communities  :)  

--[ Rules:
  - be creative.
  - be creative.
  - be creative.
  - the Wargame will be hosted on our lan.
  - the contest to be the first one to root the box starts at the
    beginning of the conference. Challenge your skills and knowledge!

--[ More information:
  Potential intruders will be updated with information on
  http://hackitoergosum.org regarding how to get access to the wargame
  with the opening of the conference on April 8   ;)  

--[ irc channel:
  /server -ssl irc.overthewire.org
  /join #hes

--[ Greetz:
  Steven van Acker for making this happen !!

--[ Concluding:

We wish you best of fun,
Best regards,
-- The HES Team

Hotel

Here is a list of hotels close to the event (sorted from
cheapest/recommended to more expensive/not tested):

  • Cheap (55 euros / night), decent, close to the event (itinerary):
    Etap Hotel, 45 Rue Docteur Babinski, 93400 Saint Ouen, +33 (0) 1 49 21 90 70, Direct: +33 (0) 8 92 68 31 26, +33 (0) 8 92 70 12 71
  • Hotel Ibis Paris Ornano, Montmartre Nord, 18ème, 70 Bis Boulevard Ornano,
    75018 Paris, +33 1 46 06 06 60
  • Hotel iliade, 51 Rue Letort, 75018 Paris, +33 1 42 57 64 40
  • Pacific Hôtel, 77 Rue du Ruisseau, 75018 Paris, +33 1 42 62 53 00
  • Holiday Inn Garden Court Hotel, Paris-Porte De Saint Ouen, 9 Rue La
    Fontaine, 93400 Saint-Ouen, +33 1 49 18 66 66, holidayinn.com

Information about FPGA Reverse Engineering Challenge.

For all participants of the FPGA Reverse Engineering Challenge, please install Xilinx ISE Webpack BEFORE coming. This software takes a long time to install, so if you do not want to waste time during the challenge, don’t forget to get ready beforehand!

Disclosing more: program update on vulnerability may unveil new bugs in common software

The title of the much-awaited talk from Julien Vanegue (Microsoft) has been updated, disclosing information about a kind of bug that may unveil new bugs (and then vulnerabilities) in common software.

This talk is now titled “Automated vulnerability analysis of zero-size heap allocations” and gives a glimpse of what will be announced during the conference. Now, I guess a couple of grep and static analysis runs just got started with a clear objective in mind. I hope it’s with the goal of getting some software more secure :)

All you have to know.

Hackito Ergo Sum is next week! So get ready! Here is more important information about the conference:

Social Media

First, if you haven’t noticed yet, Hackito Ergo Sum has a Twitter feed that you can reach here: Twitter. Moreover, the official hashtag for the conference is #hes2010.

Secondly, we are also on Facebook and you can pre-register your attendance status via Facebook at the following link: Pre-Register to Hackito Ergo Sum via Facebook.

Schedule

The schedule is available online at the following link: http://hackitoergosum.org/program/ and as a printable version here.

Location:

Mains d’Oeuvres
1, rue Charles Garnier, 93400 Saint-Ouen

Metro Around:
Porte de Clignancourt (Line 4) or Garibaldi (Line 13)

HES2010 Program is out!

The Hackito Ergo Sum 2010 Program is out. We’re delighted to host such a great selection of speakers and interesting projects. With talks ranging from a new kind of vulnerability (world-first disclosure of this kind of bug by Julien Vanegue, Microsoft) to a network technique for generic IP fingerprinting and tracking using hardware-related properties, we can say that this year Hackito Ergo Sum will be rich in content. Several workshops, such as the FPGA security and reverse engineering challenge, lockpicking and Capture The Flag (CTF), will take place too. Stay tuned for more information and details on the program.

Looking for sponsors, CFP coming soon

Hackito Ergo Sum is looking for sponsors (no, it will not be on this website, this is a temporary placeholder, but on the definitive, good-looking website ;-) ), in order to cover the costs of the international speakers who have expensive plane tickets.

In case your company would like to sponsor, or if you have a suggestion for a potential sponsor, contact us!

Also, we’re going to release the Call for Papers / Presentation soon: 15th of January. Get ready.


INFORMATION

The Hackito Ergo Sum conference will be held from April 8th to 10th 2010 in Paris, France. It is part of the “Hacker Space Fest” series of conferences taking place since 2008 in France and all over Europe.